CVE-2025-15260
📋 TL;DR
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to manipulate loyalty program rules in the MyRewards plugin. Attackers can modify, add, or delete earning rules and set point multipliers to arbitrary values. All WordPress sites using MyRewards plugin versions up to 5.6.0 are affected.
💻 Affected Systems
- MyRewards – Loyalty Points and Rewards for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could grant themselves unlimited loyalty points, leading to fraudulent purchases, inventory depletion, or financial loss through reward redemptions.
Likely Case
Attackers manipulate point multipliers to gain unfair advantages in loyalty programs, potentially redeeming high-value rewards without legitimate purchases.
If Mitigated
With proper access controls and monitoring, impact is limited to minor point manipulation that can be detected and reversed.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via AJAX requests. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/woorewards/tags/5.6.1
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'MyRewards – Loyalty Points and Rewards for WooCommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.6.1+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the MyRewards plugin until patched to prevent exploitation
wp plugin deactivate woorewards
Restrict User Registration
allTemporarily disable new user registration to limit attack surface
wp option update users_can_register 0
🧯 If You Can't Patch
- Implement strict user role management and review all subscriber-level accounts
- Monitor loyalty point transactions and set alerts for abnormal point accumulation
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → MyRewards plugin version. If version is 5.6.0 or lower, you are vulnerable.Check Version:
wp plugin get woorewards --field=versionVerify Fix Applied:
After updating, verify plugin version shows 5.6.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to woorewards endpoints from subscriber accounts
- Sudden changes to loyalty point rules or multipliers
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with woorewards action parameters
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "woorewards" AND ("action=edit" OR "action=add" OR "action=delete")